I'm working on this PHP page wich includes different pages like header.php .
What I want is when you go to header.php, it redirects you to the homepage. I tried using header but when I include it, it keeps redirecting me.
I think it's possible with an if statement with $_SERVER, but I don't know how.
Anyone can help me out? Thanks in advance!
The best way to do this is to create a constant on your main landing page, so let say index.php is one of your main landing pages.
You would create a constant within there, and then do a check in all your sub templates that should only ever be included by a main page.
Example:
<?php
define("IN_VIEW",true);
require_once "header.php";
And then within header.php you can just to make sure that IN_VIEW is defined
<?php
if(!defined("IN_VIEW"))
{
die("Direct Access Forbidden");
}
//Header Here
If its not defined, then obviously the page has been loaded directly and not from index.php.
And then for every other "in-direct" page that should be secured you just place the three lines at the head of the file, and make sure the constant has been defined in your main pages (index,login,logout) etc.
if($_SERVER["PHP_SELF"] == "header.php") {
header("Location: index.php");
}
Although this isn't best practice. You shouldn't allow users to be able to access the PHP files in the first place. The simplest method of disallowing users access to this type of file is by moving the file above the document root, meaning it is impossible to request the header.php file via HTTP.
Another solution is to simply redirect everything to index.php so that direct access to any other script is prevented. On apache for example you can do this using .htaccess as follows:
RewriteEngine On
# redirect everything to index.php except exceptions
RewriteCond %{REQUEST_URI} !/robots\.txt$
RewriteCond %{REQUEST_URI} !/favicon\.ico$
RewriteCond %{REQUEST_URI} !/static/
RewriteRule ^(.*)$ index.php [L]
You can specify some exceptions such as your robots.txt file, and images directory.
Related
I am trying to stop direct access to a subdirectories and the php files within subdirectories. I've added the following code below to the .htaccess file within the subdirectories, however now the AJAX request are not working.
How can I stop access to www.example.com/subdir, but allow jQuery load & ajax functions to work?
Options -Indexes
order allow,deny
deny from all
Thank You
I would put apache directives aside, and -perhaps- focus on a php-based solution:
Make sure your file containing the jquery ajax call has a ".php" extension.
(of course inside that file, all jquery must be contained within <script> and </script> tags.
Inside your jquery function just before the ajax call, type that:
<?php $_SESSION["allow"] = "granted" ?>
(php tags run even if they are contained in "script" tags)
Open your ajax (php) file and at the very top type this:
<?php
session_start();
if((!isset($_SESSION['allow'])) && ($_SESSION['allow']!="granted")){die();}else
unset($_SESSION['allow']);
(...rest of your php code here...)
?>
... and you are Done!
P.S. Naturally, you may (or better: should) rename the sessions and give them different or more complex values, but I was just trying to point out the basic idea... Happy coding!
If your ajax function access some file that is inside that folder, you can't. As the AJAX is a requisition sent from the client browser.
Put this code in your DOCUMENT_ROOT/.htaccess file:
RewriteEngine On
## disable direct access (but allow internal or AJAX requests)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC]
RewriteRule ^subdir(/|$) - [F,NC]
Replace www.domain.com by your own domain name.
Note that this uses %{HTTP_REFERER} header to do this blocking and it is possible to manipulate this header value.
I found simplest solution using session.
project_folder
index.php
sub_dir
db_config.php
suppose you want to restrict direct access of your db_config.php,
you can do like this.
open your index.php from root and add this in first line of your code:
$sess = session_start();
$_SESSION["nuclear_weapon_key"] = "lolva";
now go to sub_dir -> open db_config.php
add this one the top of the page:
$sess = session_start();
if(isset($_SESSION['nuclear_weapon_key']) && $_SESSION['nuclear_weapon_key'] === "lolva"){ } else{ echo "LOL"; die();}
repeat this for whatever ajax/jquery containing file/s.
it worked for me.
You can use mod_rewrite to restrict access to all bet certain files in a directory. Add this to the .htaccess in that directory.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !(jsonp)|(ws)|(ajax)
RewriteRule .* - [R=404,L]
Just replace the jsonp ws ajax with the name of your files.
Ok, so I have set the .htaccess like so:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)$ index.php
so as you can see I'm parsing everything to index except files because I need to "include" the php files and also displaying of images.
If users will type for example www.site.com/login.php that will show the login php page.
How do I prevent access to the php pages but also allow to "include" them?
Move them outside of your document root. They can be safely included from there but not accessed over the web.
If I understand the question do you want to not allow the user to go to other files if not logged in ? If so you can use php sessions to set a variable that they are logged in otherwise redirect to index
(If I understand the question)
If you wanna go that route (the outside webroot advise is the correct one!) then you could use a rule like that (see regex negative lookahead):
RewriteRule ^(?!index).+\.php$ - [F]
That's sloppy in that would allow index2.php or indexdir/xyz.php still; it just pevents anything that's not index*.php from being accessed. Make sure to also disallow .cgi or .phtml or .tpl if need be.
As a precaution I am wanting to use PHP to create an easily reusable/modifiable means to redirect users to a specified URL.
I have the usual php header redirect:
<?php
header( 'Location: http://www.stackoverflow.com/' ) ;
?>
What I'd prefer to do however, as this file will be placed across a lot of directories, to make life easier, and have the url extracted from an external file, e.g.
http://www.stackoverflow.com/url.xml
This would of course contain the URL of the website in question, unless there is another way to capture the domain itself automatically? This I'm not sure.
Could anyone be kind enough to show how this would be done or provide the best approach?
Thank you.
I was thinking in the same approach as #adam , i don't recommend you to extract urls from a file because it can be read from an attacker. It's better to include them in a php file as variables, an array or any other data structure.
Store the urls once in a file called config.inc.php:
<?php
define('USER_PATH', '/redirect/user/path');
define('ADMIN_PATH', '/redirect/admin/path');
?>
Then in your php file:
<?php
include 'config.inc.php';
header( "Location: http://{$_SERVER['HTTP_HOST']} . USER_PATH ) ; //or whatever variable you want to use to redirect.
?>
If you want to redirect some folders due to security issues you can do it with an Apache's htaccess.
Just put this at root folder then add the last line as many as you want for each redirection.
Each folder mentioned here can only be accessed by scripts running on the server.
Using this every access request using HTTP gets redirected. So this only works for directories containing scripts to be included. It doesn't work for i.e. image directories whose index shouldn't be shown, but the images should stay accessible.
RewriteEngine on
RewriteBase /
RewriteRule ^includes/(.*) http://www.stackoverflow.com/ [R=301,L]
RewriteRule ^includes/(.*) http://www.stackoverflow.com/ [R=301,L]
If you aren't familiar with this you can use http://www.htaccessredirect.net/
If the file containing the url is on a domain you don't control, there are security risks.
Instead, store the url once in a file called config.inc.php:
<?php
define('REDIRECT_URL', '/redirect/path');
?>
Then include it in your project:
<?php
include 'config.inc.php';
echo REDIRECT_URL;
// /redirect/path
?>
I have made one file say a.php. Now I want some thing like if one tries to open a.php then He should ne redirected to another page of same directory of site.
I want it throght .htaccess file.
I have written this code in my .htaccess file
RewriteEngine On
# This allows you to redirect index.html to a specific subfolder
Redirect /b.php /a.php
both pages are stored in same directory..
You could try
RewriteEngine On
RewriteRule /a\.php /otherfile.php [R=301,L]
Change the filenames were necessary.
If you could be more specific as to what you wish to achieve,perhaps I can supply you with a better solution.
Question that might help:
Is it only for the file a.php, or there are other request that will be handled the same way as this pattern?
Hope it helps!
Please refere to the link below. I think so it will help you out.
How do I redirect my site using a .htaccess file?
Thanks
Or, you can use this if your script has a request string.
Like you want to stay on the same page, but not to show a request string.
(in case you want to post or get some data through scripts)
RewriteEngine on
RewriteRule ^/path/to/a/([0-9]+) /path/to/a.php?foot=$1 [PT]
Also, you should consult with the link Codemaster Gabriel and Arvind Sridharan gave you.
you can use header function in order to redirect..
try this
inside a.php
type:-
<?php
header ('location: b.php'); //lets say b.php is the file you want to redirect
?>
it will work..
and it is recommended to use this instead of .htaccess due to security reason of apache
ok assume i have php page
has this name name.php?get= and has get varible named get
ok
how i can make it appear like that name?get=
If you are using apache, mod_rewrite is one way to go. There is a whole bunch of mod_rewrite tricks here.
I'd seriously reconsider before using (or overusing) mod_rewrite.
In almost all of my projects I use a simple mod rewrite in the .htaccess:
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^.*$ ./
AddHandler php5-script .php
This tells the server to forward all pages to / (index.php) unless a file otherwise exists.
In the root directory I have a folder called "views" with all of the pages that I use. E.g. the file used for /home would actually be /views/home.php. However, in the index.php I have a script that parses the user's url, checks for the file, and includes that.
$page = substr($_SERVER['REQUEST_URI'], 1);
if(!$page) :
header("Location: /home");
if(file_exists("views/$page.php")) :
include "views/$page.php";
else :
include "views/$page.php";
endif;
This creates a variable called $page that stores the value of everything in the URL after the domain name. I use a substr() function on the Request URI to get rid of the trailing forward slash (/) on the URL.
If the variable is empty, for example if the user is simply at http://example.com or http://example.com/ then it forwards them to /home, where the script then checks for the home.php file inside of the views folder. If that file exists, it includes it, and displays it to the user.
Else, the script will simply include the 404 page telling the user that the file doesn't exist.
Hopefully this helps you, and if you need any further explanation I'd be happy to help!
I think you're wanting to re-write the URL client-side, which would include mod_rewrite.
In the route of your website, create a file called .htaccess and place the following code in it:
RewriteEngine on
RewriteRule ^name?get=(.*) /name.php?get=$1
Now when you type http://www.example.com/name?get=something, it will actually map to http://www.example.com/name.php?get=something transparently for you.
As far as i could understand your question, you can not strip the file extension because otherwise it will not run. In other words, you can not change:
name.php?get=
into
name?get=
But if you mean to create links with query string values that you can put them in hyperlinks in this way:
Click here !!
If you're looking to create links using a variable '$get', then you can create the link like this:
<a href="name.php?get=$get>Link</a>
Or if you want to get the value of the query string variable, you can use this:
$get = $_GET['get']